Compromises in 2009 affecting 10,000 or more


01/06/2009 CheckFree Corp.

a Financial or Insurance Services firm in Atlanta, Georgia
5,000,000 financial accounts compromised
CheckFree Corp. and some of the banks that use its electronic bill payment service say that criminals took control of several of the company’s Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. The company believes that about 160,000 consumers were exposed to the Ukrainian attack site. However, because the company lost control of its Web domains, it doesn’t know exactly who was hit. It has warned a much larger number of customers. This breach was initially reported on December 3, 2008.

01/20/2009 Heartland Payment Systems

a Financial or Insurance Services firm in Princeton, New Jersey
130,000,000 financial accounts compromised
Last week, after being notified by charge card providers, the company found evidence of malicious software that compromised card data that passed through Heartland’s network. There are many details.

01/20/2009 Kanawha-Charleston Health Department

Government in Charleston, West Virginia
11,000 non-financial accounts compromised
People who received flu shots from the agency since October are being warned that their personal information may have been stolen by a former department temporary worker. Information included their names, Social Security numbers, addresses and other personal information.

02/05/2009 phpBB.com

a business other than retail in Bellevue, Washington
400,000 non-financial accounts compromised
A popular bulletin board software package has been taken offline following a security breach that gave an attacker full access to a database containing names, email, address, and hashed passwords for its entire user base. The attacker gained access through an unpatched security bug in PHPlist, a third-party email application.

02/06/2009 Kaiser Permanente

a healthcare provider or servicer in Oakland, California
29,500 non-financial accounts compromised
A law enforcement agency seized a computer file with Kaiser data from a person who was subsequently arrested. The suspect was not a Kaiser employee. Kaiser Permanente is notifying nearly 30,000 Northern California employees that the security breach may have led to the release of their personal information. The stolen information included names, addresses, dates of birth and Social Security numbers for Kaiser employees. (877) 281-3573

UPDATE(9/28/2011): A former benefits clerk from Service Employees International Union-affiliated United Healthcare Workers West (SEIU-UHW) was sentenced to 12 years and four months in prison for stealing Kaiser union employee information.

02/09/2009 Federal Aviation Administration

Federal Government in Washington, DC
48,000 non-financial accounts compromised
Hackers broke into the Federal Aviation Administration’s computer system, accessing the names and Social Security numbers of employees and retirees.

02/13/2009 University of Alabama

an educational institution in Tuscaloosa, Alabama
37,000 non-financial accounts compromised
Seventeen of 400 databases were tapped by hackers. Personal information may have been stolen. One of those computers contained lab results for people tested at the campus medical center. The servers had a database containing 37,000 records of lab data. They contain the names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994.

02/16/2009 Wyndham Hotels & Resorts

a business other than retail in Parsippany, New Jersey
21,000 financial accounts compromised
In mid-September 2008, the company discovered that a sophisticated hacker penetrated the computer systems of one of the hotels. By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of WHR customers. Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card’s magnetic stripe.

[ http://www.wyndhamworldwide.com/customer_care/data-claim.cfm ]

02/17/2009 Broome Community College

an educational institution in Binghamton, New York
14,000 non-financial accounts compromised
Broome Community College sent out a mailing last week with Social Security numbers printed prominently on the back cover. The winter/spring 2009 alumni magazine was mailed to 28,000 people; it is assumed that fewer than 14,000 copies had Social Security numbers on them.

02/18/2009 Rio Grande Food Project

a Non-Governmental Organization (includes non-profits) in Albuquerque, New Mexico
36,000 non-financial accounts compromised
A food pantry is warning its clients that tens of thousands of them are at risk for identity theft after a laptop computer containing their personal information was stolen. The computer contained sensitive personal data including addresses, birth dates and Social Security numbers.

02/19/2009 University of Florida

an educational institution in Gainesville, Florida
97,200 non-financial accounts compromised
A foreign hacker gained access to a University of Florida computer system containing the personal information of students, faculty and staff. The files included the names and Social Security numbers of individuals who used UF’s Grove computer system since 1996. (877) 657-9133

02/20/2009 Arkansas Department of Information Systems, Information Vaulting Services

State Government in Little Rock, Arkansas
807,000 non-financial accounts compromised
A computer storage tape with data from criminal background checks dating back to the mid-1990s is missing from an information-protection company’s vault. The background-check information includes names, dates of birth, Social Security numbers and addresses. (888) 682-0411

[ http://notify.arkansas.gov ]

03/04/2009 New York City Police Department

City Government in New York, New York
80,000 financial accounts compromised
A civilian employee of the department’s pension fund is accused of stealing eight tapes containing the Social Security numbers and direct-deposit information for 80,000 current and retired cops. The employee, who served as the pension fund’s director of communications, has been charged with computer trespass, burglary and grand larceny. He is accused of removing the tapes from a backup data warehouse on Staten Island after disabling security cameras. Police found the missing tapes at his home before arresting him.

03/07/2009 Idaho National Laboratory

Federal Government in Idaho Falls, Idaho
59,000 non-financial accounts compromised
Idaho’s Congressional Delegation this week announced a potential identity theft threat involving information from 59,000 present and former workers at the Idaho National Laboratory at Idaho Falls. DOE notified delegation members that an encoded disc containing personal data from the employees was either lost or stolen in transit via United Parcel Service. The package, originally shipped from New York to Maryland, was found damaged.

03/11/2009 Binghamton University

an educational institution in Binghamton, New York
100,000 financial accounts compromised
Binghamton University kept payment information for every student, possibly dating back at least ten years, in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open. The information itself contained Social Security numbers, credit card numbers, scans of tax forms, business information (including Social Security numbers and salary information for employees of students’ parents), asylum records and more, all kept in a haphazard and disorganized fashion, sprawled out in boxes, in unlocked (yet lockable) filing cabinets and shelving units. If the information inside the room pertained only to the currently enrolled students and their parents, the story would affect roughly forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people affected lies well into the hundreds of thousands.

03/12/2009 Dezonia Group

a business other than retail in Chicago, Illinois
63,000 non-financial accounts compromised
The city of Chicago bills people for ambulance rides — $600 and up. It uses a third party, Dezonia Group, for billing. An employee’s laptop, containing patient names, addresses and Social Security numbers, was stolen from the company. Reports differ as to whether or not the data was encrypted.

03/18/2009 Walgreens Health Initiative

a healthcare provider or servicer in Deerfield, Illinois
28,000 non-financial accounts compromised
Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed to the Kentucky Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provider. The e-mail contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information. The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit through Walgreens in 2007. (866) 292-9063

04/08/2009 Metro Nashville School/Public Consulting Group

an educational institution in Nashville, Tennessee
18,000 non-financial accounts compromised
Metro Nashville students’ names, Social Security numbers, addresses and dates of birth and parents’ demographic information were available by searching Google. A private contractor unintentionally put student data on a computer Web server that wasn’t secure. The data was available online from Dec. 28 to March 31. (615) 259-INFO (4636)

04/09/2009 Penn State Erie/Behrend College

an educational institution in Erie, Pennsylvania
10,868 non-financial accounts compromised
On March 23, the University confirmed that 10,868 Social Security numbers in historical data on a computer at Penn State Erie, The Behrend College, could have been breached. Longstanding security measures, designed to protect the network and systems from malicious software, alerted the University to the potential breach. As soon as the University became aware of the malicious software on this computer, the computer was immediately taken off line, data was examined and information was removed.

04/11/2009 Peninsula Orthopaedic Associates

a healthcare provider or servicer in Salisbury, Maryland
100,000 non-financial accounts compromised
As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits statements from their health insurance companies since they may also be at risk for medical identity theft. The records from Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility. Patients’ personal information including their Social Security numbers, employers and health insurance plan numbers may have been among the information stolen.

04/13/2009 Moses Cone Hospital

a healthcare provider or servicer in Greensboro, North Carolina
14,380 non-financial accounts compromised
Moses Cone Hospital is offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a VHA employee’s car. The information on the laptop included patients’ Social Security numbers.

04/23/2009 Oklahoma Department of Human Services

State Government in Oklahoma City, Oklahoma
1,000,000 non-financial accounts compromised
Some personal information may have been contained on a laptop computer stolen from an agency employee. Information on the stolen computer included names, Social Security numbers and dates of birth for people who receive DHS services. (866) 287-0371

04/29/2009 Oklahoma Housing Finance Agency

State Government in Oklahoma City, Oklahoma
225,000 non-financial accounts compromised
A laptop computer containing the personal information of about 225,000 Oklahomans was stolen from a city home last week. The names, Social Security numbers, tax identification numbers, birth dates and addresses of clients of the Section 8 Housing Voucher Program were on an employee’s laptop that was stolen.

05/01/2009 LexisNexis, Investigative Professionals

a business other than retail in Miamisburg, Ohio
40,000 financial accounts compromised
Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 individuals whose sensitive and personally identifiable information may have been viewed by individuals who did not have legitimate access. The data breach is linked to a Nigerian scam artist who used the information to incur fraudulent charges on victims’ credit cards. Of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards. The private information viewed included names, dates of birth and possibly Social Security numbers.

05/04/2009 Kapiolani Community College

an educational institution in Honolulu, Hawaii
15,487 non-financial accounts compromised
More than 15,000 students at Kapiolani Community College are at risk of identity theft because of an Internet security breach. School officials found that a computer was infected with malware that can steal sensitive data. The computer contained the personal information of 15,487 students who applied for financial aid between January 2004 and April 15. The computer did not have sensitive information, but it was hooked up to a network that had access to names, addresses, phone numbers, dates of birth and Social Security numbers.

05/04/2009 Virginia Prescription Monitoring Program

a healthcare provider or servicer in Richmond, Virginia
531,400 non-financial accounts compromised
The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom for the return of millions of personal pharmaceutical records they say they stole from the state’s prescription drug database. A notice posted on the DHP Web site acknowledged that the site is currently experiencing technical difficulties which affect computer and e-mail systems. Some customer identification numbers, which may be Social Security numbers, were included, but medical histories were not.

UPDATE (6/4/2009): The state is mailing individual notifications to 530,000 people whose prescription records may have contained Social Security numbers. In addition, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided Social Security numbers when they registered for the program, are being notified. The database that was hacked contained records of more than 35 million prescriptions dispensed since 2006 for certain federally controlled drugs with a high potential for abuse.

05/05/2009 Fulton County Board of Registration and Elections

County Government in Atlanta, Georgia
99,000 non-financial accounts compromised
Boxes were found in a trash bin at Atlanta Technical College. They contained about 75,000 voter registration application cards and 24,000 precinct cards. Many of the documents contained personal information on active voters, such as full names and Social Security numbers.

05/07/2009 University of California, Berkeley

an educational institution in Berkeley, California
160,000 non-financial accounts compromised
Hackers infiltrated restricted computer databases. Personal information of 160,000 current and former students and alumni may have been stolen. The University says Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, 2009, when administrators performing routine maintenance identified messages left by the hackers. They found that restricted electronic databases had been illegally accessed by hackers beginning on October 9, 2008 and continued until April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.

[ http://datatheft.berkeley.edu ]

05/07/2009 Patco

A construction firm in Sanford, Maine
One account was compromised, the firm’s own at Ocean Bank
Confidential banking credentials were compromised and crooks made a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The fraud continued during the business week and the crooks eventually made transfers totaling $588,000. The fraud was discovered on 5/13/2009 when a notice from Ocean Bank reported that some recent transfers had been rejected because the crooks tried to make transfers to account numbers which were invalid. The story, the lawsuit, and many links. For more on what happened and whether or not the company recovered from its bank, see Who Loses.

05/12/2009 Johns Hopkins Hospital

a healthcare provider or servicer in Baltimore, Maryland
10,200 non-financial accounts compromised
An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers’ licenses in Virginia. The employee had access to information such as name, address, telephone number, mother’s and father’s names, dates of birth and Social Security numbers, but not to any health or medical information.

UPDATE (10/1/10 via PHIPrivacy.net): The former employee and four others were indicted for fraud and aggravated identity theft. They are charged with using patient information to create fraudulent credit accounts. The former employee worked at the hospital between August 2007 and March of 2009. It is believed that around 600 patients may have been targets for identity theft, but only 50 incidents were linked to the former employee.

05/13/2009 United Food and Commercial Workers Union 555

a Non-Governmental Organization (includes non-profits) in Tigard, Oregon
19,000 non-financial accounts compromised
A union employee’s laptop was stolen on the East Coast. The laptop may have contained personal information of Local 555 members, including birth dates and Social Security numbers.

05/18/2009 NJ Department of Labor and Workforce Development

State Government in Trenton, New Jersey
28,000 non-financial accounts compromised
Unemployed New Jersey residents may have had their name and Social Security number accidentally delivered to an employer for which they did not work. The error occurred when department staff last month sent first-quarter reports to businesses that included a list of former employees receiving unemployment benefits. Because some companies had laid off a significant number of employees, the reports were longer than usual, requiring staff members to stuff the envelopes by hand rather than by machine. Some reports were placed in the wrong envelopes.

05/19/2009 National Archives and Records Administration

Federal Government in College Park, Maryland
250,000 non-financial accounts compromised
The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures. The Archives had been converting the Clinton administration information to a digital records system when the hard drive went missing. The hard drive was left on a shelf and unused for an uncertain period of time. When the employee tried to resume work, the hard drive was missing.

05/28/2009 Aetna

a healthcare provider or servicer in Hartford, Connecticut
65,000 non-financial accounts compromised
Aetna has contacted 65,000 current and former employees whose Social Security numbers may have been compromised in a Web site data breach. The breach was a spam campaign showing that the intruders successfully harvested e-mail addresses from the Web site, although it’s not clear if SSNs were also obtained. The spam purported to be a response to a job inquiry and requested more personal information. Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach.

UPDATE (6/11/2009): Hartford health insurer Aetna Inc. is being sued. The class-action suit was filed in a Pennsylvania District Court and demands credit monitoring, punitive damages, costs and other relief for current, former and potential employees.

06/05/2009 Virginia Commonwealth University

an educational institution in Richmond, Virginia
17,214 non-financial accounts compromised
A desktop computer was stolen from a secured area within Cabell Library in mid-April. The computer may have contained student names, Social Security numbers and test scores dating from October 2005 to the present. VCU discontinued use of Social Security numbers as ID numbers in January 2007. An additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.

06/17/2009 Blackbaud Inc.

a business other than retail in Charleston, South Carolina
84,000 non-financial accounts compromised
A computer that was stolen from a car in Charleston, SC, last year contained personal financial information on 84,000 University of North Dakota donors. The missing laptop belonged to Daniel Island-based software giant Blackbaud Inc., which stressed that all of the information was password-protected and encrypted.

06/18/2009 Suncoast Schools Federal Credit Union

a Financial or Insurance Services firm in Tampa, Florida
56,000 financial accounts compromised
Some members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud. It is the latest casualty of last year’s breach of Heartland Payment Systems, one of the country’s largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed. Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised.

06/23/2009 Cornell University

an educational institution in Ithaca, New York
45,277 non-financial accounts compromised
A stolen Cornell University computer has compromised the personal information of thousands of members of the University community. The computer contains the names and Social Security numbers of current and former students as well as current and former faculty and staff members.

07/13/2009 LexisNexis

a business other than retail in Dayton, Ohio
13,329 financial accounts compromised
LexisNexis has warned more than 13,000 consumers that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists. The accused would provide names, addresses and account numbers as part of a fake check-cashing operation. But he’s also accused of using computer databases to get information on potential extortion or assault targets as well as individuals suspected by the Enterprise members of being involved with law enforcement.

07/16/2009 Moores Cancer Center

a healthcare provider or servicer in San Diego, California
30,000 non-financial accounts compromised
A hacker breached the Center’s computers and gained access to patients’ personal information. A letter was sent to 30,000 patients informing them that their personal information may have been in the compromised databases. Types of information in breach included names, dates of birth, medical record number, diagnosis and treatment dates and some Social Security numbers. The majority of patients’ information did not include Social Security numbers.

07/24/2009 Network Solutions

a business other than retail in Herndon, Virginia
573,000 financial accounts compromised
Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services – a package that includes everything from Web hosting to payment processing — to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.

08/03/2009 National Finance Center

Federal Government in Washington, DC
27,000 non-financial accounts compromised
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed.

08/13/2009 National Guard Bureau

Military in Arlington, Virginia
131,000 non-financial accounts compromised
An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. The stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates.

09/02/2009 Naval Hospital Pensacola

a healthcare provider or servicer in Pensacola, Florida
38,000 non-financial accounts compromised
Naval Hospital Pensacola will be notifying thousands of beneficiaries who use its pharmacy services, following the disappearance of a laptop computer. The computer’s database contains a registry of 38,000 pharmacy service customers’ names, Social Security numbers and dates of birth on all patients that used the pharmacy in the last year. It does not contain any personal health information.

09/05/2009 Mitsubishi Corp.

a retail business in New York, New York
52,000 financial accounts compromised
A Mitsubishi Corp. Internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas. The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system.

09/22/2009 Sagebrush Medical Plaza/Kern Medical Center

a healthcare provider or servicer in Bakersfield, California
31,000 non-financial accounts compromised
Thousands of patients at a Kern County health clinic have been warned their personal information could have been stolen. A break-in happened at the Sagebrush Medical Plaza in July, and Kern Medical Center officials have notified 31,000 patients to take precautions against possible identity theft. One or more unknown individuals broke into a locked storage area that contained confidential patient information. All patient information has now been moved to a location inside the clinic building.

09/25/2009 University of North Carolina, Chapel Hill

an educational institution in Chapel Hill, North Carolina
163,000 non-financial accounts compromised
A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. The Social Security numbers of 163,000 participants were among the information exposed. The data is part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina.

UPDATE (10/6/2010): A lead researcher at the University is fighting a demotion and pay cut that resulted from the data breach in the medical study she directs. It appears that the incident first occurred in 2007 and was not discovered until 2009. An attorney representing the researcher claims that his client is not at fault because the University knew that the program’s computer system had security deficiencies in 2006. The University claims that the researcher acted negligently, but the attorney claims that the researcher was not alerted to the security flaws and there is no evidence that the researcher violated or ignored rules in obtaining patient information.

UPDATE (5/9/2011): The researcher and University reached a settlement. The researcher agreed to retire at the end of 2011 and will receive her full rank and salary until that time.

10/02/2009 U.S. Military Veterans

Military in Washington, DC
76,000,000 non-financial accounts compromised
The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers.

10/06/2009 BlueCross BlueShield Assn.

a healthcare provider or servicer in Chicago, Illinois
187,000 non-financial accounts compromised
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number.

10/15/2009 Halifax Health

a healthcare provider or servicer in Daytona Beach, Florida
33,000 non-financial accounts compromised
A laptop computer, which may have contained password protected patient information, was stolen from a Halifax Health employee’s vehicle in Orange County.

10/15/2009 Virginia Department of Education

an educational institution in Richmond, Virginia
103,000 non-financial accounts compromised
A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009. (877) 347-5224

10/20/2009 ChoicePoint

a business other than retail in Alpharetta, Georgia
14,023 non-financial accounts compromised
ChoicePoint has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year. In April 2008, ChoicePoint turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months, according to an FTC statement. During that period, unauthorized searches were conducted for 30 days on a ChoicePoint database that contained Social Security numbers and other sensitive information.

UPDATE (9/22/2010): The Federal Trade Commission mailed checks worth $18.17 to 14,023 ChoicePoint customers. These checks were meant to cover the money and time customers spent monitoring their credit after ChoicePoint’s 2008 breach. ChoicePoint had been ordered to implement a comprehensive information security program after a 2006 breach. Due to ChoicePoint’s failure to do this, they suffered another breach and were fined.


10/21/2009 Roane State Community College

an educational institution in Harriman, Tennessee
14,783 non-financial accounts compromised
Roane State Community College has announced that the names and Social Security numbers of 9,747 current or former students were on a data storage device stolen from an employee’s vehicle, along with 1,194 current/former employees’ information. The Social Security numbers alone, with no names, were also stolen for 5,036 additional current or former students. The data was on a 4GB USB drive used for work-related purposes. An employee took it home to do work after hours, and left it in the car. The employee forgot to lock the car doors. The USB drive was stolen along with a personal hand-held device. Hotline (865) 882-4688, (866) 462-7722 ext. 4688

10/26/2009 CalOptima

a healthcare provider or servicer in Orange County, California
68,000 non-financial accounts compromised
Personally identifiable information on members of CalOptima, a Medicaid managed care plan, may have been compromised after several CDs containing the information went missing. The unencrypted data on the CDs includes member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers. The discs had been put in a box and sent via certified mail to CalOptima by one of its claims-scanning vendors, according to a statement by the health plan. CalOptima received the external packaging material minus the box of discs.

11/06/2009 National Archives and Records Administration

Federal Government in College Park, Maryland
250,000 non-financial accounts compromised
The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house.

UPDATE (1/12/2010): There was a large amount of data on the returned drive, as much as two terabytes. NARA is, in effect, having to do a forensic analysis of the data to identify the individuals and the information involved, and has been issuing notices on a rolling basis. The total had been 26,000 until its forensic contractor identified a new group containing as many as 150,000 names.

UPDATE (1/27/2010) Media stories now put the number of records involved at 250,000.

11/18/2009 Health Net

a healthcare provider or servicer in Shelton, Connecticut
1,500,000 financial accounts compromised
The personal information of almost half a million Connecticut residents could be at risk after a portable disk drive disappeared from Health Net in May of 2009. Health Net is a regional health plan, and the drive included health information, Social Security numbers and bank account numbers for all 446,000 Connecticut patients, 1.5 million nationally. The information had been compressed but not encrypted; a specialized program is required to read it, but compression is not a security control and does nothing to stop anyone who has that program. Patients in Arizona, New Jersey and New York were also affected.

UPDATE (1/22/2010): Connecticut Attorney General (AG) Richard Blumenthal is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach. The AG is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

UPDATE (7/7/2010): Health Net and the Connecticut AG reached a $250,000 settlement in connection with this incident.

UPDATE (10/8/2010): Health Net faces an additional $375,000 fine for failing to safeguard the personal information of its members from misuse by third parties.

UPDATE(1/20/2011): The Vermont Attorney General filed a complaint and proposed settlement with Health Net, Inc. and Health Net of the Northeast, Inc. It would require Health Net to pay $55,000 in state fees, submit to a data-security audit and submit reports about the company’s information security programs throughout the next two years.

11/18/2009 Universal American Action Network

a healthcare provider or servicer in St. Petersburg, Pennsylvania
80,000 non-financial accounts compromised
Thousands of Pennsylvanians are at risk for identity theft because postcards were sent to their homes with their Social Security numbers printed in plain view. The postcards were from the Universal American Action Network, a subsidiary of Universal American Insurance. 80,000 postcards with SSNs on them were sent to Universal clients throughout the country. More than 10,000 were mailed to Medicare participants in Pennsylvania.

12/15/2009 U.S. Army

Military in Fort Belvoir, Virginia
42,000 financial accounts compromised
A laptop computer belonging to a Family and Morale, Welfare and Recreation Command (FMWRC) employee was stolen. Types of information compromised included name, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone number and family member information.


12/15/2009 RockYou

a retail business in Redwood City, California
32,603,388 non-financial accounts compromised
The security firm Imperva warned RockYou that its web application had a serious SQL injection flaw. Such a flaw could grant attackers access to the service’s entire list of user names and passwords in the database. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend, but not before at least one attacker gained access to what they claim is all of the 32 million accounts, 32,603,388 to be exact. The database stored the full list of passwords in plain text, alongside the corresponding email addresses.

UPDATE (4/21/2011): The 32 million email addresses and passwords exposed include login information for social networking sites such as Facebook and MySpace. On April 18, 2011 a court ruled that the loss of the information caused injury. The court noted that “the unauthorized disclosure of personal information via the Internet is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.” The court also found that the language in RockYou.com’s privacy policy stating that its servers were secure did not automatically preclude the plaintiff’s breach-of-contract claim, because the plaintiff alleged that the servers were not in fact secure.

UPDATE(3/27/2012): The Federal Trade Commission is alleging that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) by collecting information from approximately 179,000 children. A proposed FTC settlement order requires RockYou to pay a civil penalty of $250,000 to settle COPPA charges. In addition to the penalty, the company would be barred from future deceptive claims regarding company privacy and data security, required to implement and maintain a data security program, and barred from future violations of the COPPA rule.

12/17/2009 North Carolina Libraries

an educational institution in Raleigh, North Carolina
51,000 non-financial accounts compromised
Library users at 25 campuses were the victims of a security breach in August. The libraries collect driver’s license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. Other campuses affected are Alamance, Beaufort, Bladen, Blue Ridge, Brunswick, Central Carolina, College of the Albemarle, Gaston, Halifax, Haywood, Lenoir, Martin, Nash, Pamlico, Piedmont, Richmond, Roanoke-Chowan, Rowan-Cabarrus, Sandhills, Southwestern, Tri-County, Vance Granville and Wilson.

12/23/2009 Penn State University

an educational institution in University Park, Pennsylvania
30,000 non-financial accounts compromised
The University sent out letters notifying those potentially affected by malware infections, which are believed responsible for breaches. The areas and extent of the records involved in the malicious software attack included Eberly College of Science, 7,758 records; the College of Health and Human Development, 6,827 records; and one of Penn State’s campuses outside of University Park, approximately 15,000 records.

12/31/2009 Eastern Washington University

an educational institution in Cheney, Washington
130,000 non-financial accounts compromised
Eastern Washington University is trying to notify up to 130,000 current or former students whose names, Social Security numbers and dates of birth were on a computer network involved in a security breach. The student information goes back to 1987. The notification process could take up to two weeks. The University recently discovered the breach during an assessment of its network. Information-technology staff also discovered that the hacker installed software to store and share video files on the system.


In addition to the sources cited above, the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse was used. Their website is a valuable resource for those seeking information on basic privacy, identity theft, medical privacy and much more. They are highly recommended.


View the 2009 summary
Return to References page
Return to Year links page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.